Creating Users with Data-Dependent
Authorizations
Use
You perform the steps described in the following sections to create special user roles with authorizations restricted to specific data.
Prerequisites
You must have
created the corresponding authorizations beforehand (see
User Roles for
further information).
Creating Users and Roles (User Groups)
Perform the following steps to create users and roles in AS-ABAP.
Since ABAP roles are mapped to J2EE user groups, the term role used in an ABAP context means user group in J2EE.
...
1. Use transaction SU01 to create a user, for example CUST_USER.
2. Use transaction PFCG to create a composite role, for example CUST_USER_ROLE, by either creating a new role or copying an existing role.
○ If you create a new role, ensure that you assign XXX_ABAP and XXX_J2EE single roles to this role, with XXX = SAP_XI_DEVELOPER, SAP_XI_CONFIGURATOR, or SAP_XI_CONTENT_ORGANIZER, depending on whether your new role is a developer, configurator, or content organizer.
○ If you copy an existing role, for example, SAP_XI_DEVELOPER for a restricted developer role, or SAP_XI_CONFIGURATOR for a restricted configurator role, ensure that this role is completely copied to the new role, but disable the copying of contained *ABAP and *J2EE single roles.
For more information, see Changing Dialog User Roles.
3. Delete all users from the role created in the previous step.
4. Use transaction PFCG to assign the user created in step 1 to the role created in step 2.
Assigning Roles to User Groups
Perform the following steps to assign ABAP roles to user groups in AS Java.
...
...
1.
Start the AS Java
user administration
console.
2. Choose Identity Management.
3. Search for the new role and select it.
4. Choose Assigned groups and then choose Modify.
5. Search for the user group (corresponding to the ABAP role) of interest in the Available Groups frame.
6. Select the group and choose Add.
7. Check the assignment in the Assigned Groups frame.
8. Choose Save All Changes.
For more
information, see
Assigning Principals
to Roles or Groups.
Assigning Unrestricted Roles to Predefined User Groups
You must assign an unrestricted tool-specific role, for example XiRep_Unrestricted or XiDir_Unrestricted, to predefined user groups without data-dependent restrictions. For these users, only standard J2EE security applies. Otherwise, users of these groups do not have any permission once the additional data-dependent authorization checks are activated.
Perform the following steps to assign a predefined unrestricted role to standard user groups.
...
...
1.
Start the AS Java
user
management console.
2. Choose Identity Management.
3. Search for the unrestricted role (for example XiRep_Unrestricted or XiDir_Unrestricted), and select it.
4. Choose Assigned Groups and then choose Modify.
5. Search for the relevant PI user groups (omit SAP_XI_DEMOAPP).
The relevant PI user groups are:
○ The ABAP dialog user roles listed and described in Dialog Users.
○ The roles of the PI service users listed and described in Service Users.
6. Select each relevant user group and choose Add.
7. Choose Save All Changes.
Activating Data-Dependent Authorization Checks
Perform the following steps to activate the additional, data-dependent authorization checks.
...
1. To access the exchange profile from the Integration Builder start page, choose Administration ® Exchange Profile.
2. Go to IntegrationBuilder ® IntegrationBuilder.Repository and select (if available) or create the property com.sap.aii.util.server.auth.activation.
3. Set the property com.sap.aii.util.server.auth.activation. to true and Save your settings.
4. Go to IntegrationBuilder ® IntegrationBuilder.Directory and repeat steps 2 and 3.
5. Choose All Properties to display and Refresh the properties of the Integration Builder.
6. Choose All Properties again and verify that the property com.sap.aii.util.server.auth.activation in the list of properties has the correct value.